Just days after notifying potential victims of a data breach, Pompano Beach-based ComplyRight was named as defendant in lawsuits by plaintiffs who haven't yet claimed they've been victims of fraud. More courts are allowing such claims to stand, experts say.

Just days after notifying potential victims of a data breach, Pompano Beach-based ComplyRight was named as defendant in lawsuits by plaintiffs who haven't yet claimed they've been victims of fraud. More courts are allowing such claims to stand, experts say. (Courtesy photo)

The company sent letters to customers on July 13 stating that names, addresses, telephone numbers, email addresses and Social Security numbers were “accessed and/or viewed” in what it called “unauthorized access” of its website between April 20 and May 22. It said it was unaware of any identity fraud resulting from the breach and told letter recipients they were entitled to 12 months of free credit monitoring.

A week after sending the letter, five Chicago attorneys sued the company in the Northern District of Illinois on behalf of Susan Winstead, identified in the suit only as a resident of Illinois. Winstead received a letter from ComplyRight on July 17, three days before the suit was filed on July 20, the suit said.

The suit cites a nearly two-month lag between when ComplyRight said it discovered the data breach and when it sent the notification letters, saying the company kept the incident secret during its forensic investigation and gave the data thieves three months since the breach began “to perpetuate fraud … with no victim aware of the threat.”

The number of victims is unknown, the suit said, but “Plaintiff has reason to believe that the number of impacted individuals is very large.”

On July 26, Fort Lauderdale attorney Seth M. Lehrman of the firm Edwards Pottinger LLC filed a suit in U.S. District Court in Fort Lauderdale on behalf of plaintiffs Robert Bohannon of Granger, Ind., and Holly Buckingham of Woodbine, Md.

The suit did not claim that identity thieves had impersonated Bohannon or Buckingham, or that they had suffered financial damages beyond the fact that “Buckingham has spent at least two business days expending effort to ensure her Personal Information is not used by the hackers and that her identity is not stolen.”

Bohannon and Buckingham were “injured,” the suit stated, because ComplyRight “failed to adequately safeguard” their personal information.

Likewise, Winstead and other members of the class suffered “injuries and damages” because they are now at increased risk of identity theft and fraud and because of expenses and the value of their time spent mitigating the increased risk of fraud.

None of the attorneys responded to emails from the Sun Sentinel seeking comment about the suit. ComplyRight also did not respond to requests to discuss this story, or the initial report about its data breach notifications.

ComplyRight, identified in the suits as a Minnesota company with its principal place of business in Pompano Beach, provides human resources services for small businesses and told victims their information would have been in the company’s online database because it was entered on tax forms by employers or payers, including Forms 1099 and W-2.

Both suits seek certification as class actions, damages to the plaintiffs and other class members, and plaintiffs’ attorneys fees, costs and expenses.

These days, it’s common after data breaches make the news for plaintiffs’ attorneys to engage in “a race to the courthouse” to file class-action suits even before plaintiffs are victimized by identify theft in hopes that defendants will opt to settle rather than litigate, said Nathan Taylor, a cybersecurity attorney with Morrison Foerster LLP in Washington, D.C.

“Plaintiffs’ attorneys want to get there before other plaintiffs’ attorneys,” Taylor said.

He said more courts are denying motions by defendants to dismiss class-action data breach cases on grounds that plaintiffs lack standing because they haven’t yet suffered damages from identity fraud.

Courts are increasingly agreeing with plaintiffs that time spent by data breach victims enrolling in credit monitoring services, calling credit cards companies, and dealing with paperwork has a monetary value, according to an April blog entry by Morrison Foerster attorneys Tiffany Cheung and Morgan Donoian MacBride.

When motions to dismiss are denied, defendants will choose to settle rather than proceed to trial in nearly all cases, Taylor said.

Notable settlements in recent years include $115 million agreed to by health insurer Anthem Inc. last year after a breach compromised almost 80 million customers, and $19.5 million that Home Depot agreed to pay to compensate customers affected by a 2014 breach. Last year, Home Depot agreed to pay $27 million to affected credit card companies.

Taylor said he is unaware of any data breach lawsuit that resulted in a trial over the question of defendants failing to adequately secure their customers’ information.

“Companies don’t want to go to trial against their customers,” he said.